Info: Venafi Trust Protection Platform 17.1 is Released
What's new in Venafi Trust Protection Platform 17.1
Server Certificate features
CyberArk credential integration Leverage passwords stored in CyberArk Safes for provisioning certificates to devices use username credentials. This feature eliminates the need to keep credentials in Trust Protection Platform up-to-date. Instead, CyberArk manages the credentials in accordance with security best practices.
Support for Elliptic Curve Cryptography (ECC) Are you migrating to ECC certificates? Trust Protection Platform now has support for generating ECC private keys and CSRs for enrollment or renewal. Use the Trust Protection Platform -supported CAs that offer that support through their APIs. You can also use the Web SDK to create certificates that use ECC encryption.
SUDO agentless certificate installation Apache, GSK, iPlanet, JKS, PEM, and PKCS#12 certificate installation types have been updated to support SUDO when installing and validating certificates with SSH.
Updated Citrix NetScaler Certificate Installation Driver NetScaler Driver has been updated to transition from the SSH CLI to the new Nitro API. Along with this, comes support for binding certificates to Services and Service Groups, certificates used in SNI configurations, and provisioning of password encrypted private keys.
Citrix NetScaler onboard discovery (BETA) Provide Trust Protection Platform with the IP address and credentials to your NetScaler appliances and let Trust Protection Platform do the rest. This feature can discover certificates and the associated configuration on your NetScalers for a true turnkey experience to rotate certificates. Request a BETA license.
Schedule certificate installations in Aperture When approving workflows for provisioning certificates, you can schedule certificate installation to devices to occur at a future time. The scheduling process streamlines certificate installation during maintenance windows. Feature introduced in Web Admin in 14.4 - now available in Aperture.
Improved Installation Type filter in Aperture Our Installation Type Filter is now more accessible. It easier to find certificates that are configured with or without installations.
Improved Aperture Status column Certificate Inventory Status column now has two columns to show risks and status. The Status column shows a life cycle stage, like "Renewing" or "Pending My Approval", so you always know the status of your certificates. The Risks column shows one or more tags, like "Unapproved Issuer" and/or "No Local Dual Control", so you see reasons for delays. Certificate Overview Banner has been updated to only show "Status" information, instead of Risk.
Add new certificate installations in Aperture Whether you want to track additional locations for nightly validation or you want to configure the automatic installation of a certificate, you can now easily add new installations to your certificate in Aperture using the "Add Installation" action. It is also much easier to select the correct Installation Type with a new Installation selector that features improved friendly names and descriptions of the installation drivers available in Aperture.
Improved certificate installation configuration Aperture has been improved so that configuring certificates for automatic installation is easier. For example, fields are hidden when not needed. The Installation Interface is also hidden unless a Server Agent is installed on the device. Port, Device, and Installation Credentials are hidden when configured to use an Agent. Installation Credential and Port are hidden by default in "Advanced Connection Settings". You can now view the last person who clicked "Install" for certificate and when installation occurred. Other useful information, like the folder where the device is stored, in is also available.
Add credentials for certificate installations When configuring a certificate for installation, you can add new connection and keystore credentials on-the-fly. The information appears in the Trust Protection Platform inventory.
View previous versions of certificates Each time a certificate renews, you can now see the details of previous certificate versions In Aperture, more features are coming to this area in 17.2
VCert Utility enhancements Some minor enhancements for the VCert Utility make it easier for DevOps personnel to use.
Enhance security for private key re-use The Policy "Allow Private Key Re-Use (User Provided CSR)" has been relabeled to "Allow Users to Import Duplicate Certificates and Reuse Private Keys" in Aperture. When set to "No" (default setting), it will prevent duplicate certificates from being imported by file, retrieved in web admin, or discovered via "Instant Discovery". It will prevent two different certificate items in inventory from referencing the same certificate. Like before, it will also continue to prevent uploading of User Provided CSRs that are signed with a private key that has been previously used.
Last renewed/installed In Aperture, it is easy to filter, view, and report on who last clicked "Renew Now" for a certificate. When approving a workflow for renewal, installation, or revocation, you can who initiated the action on the approval screen.
CAPI certificate installation driver update The Common Application Programming Interface (CAPI) driver has been updated so that "Set-ExecutionPolicy" prerequisite is no longer required when binding a certificate to IIS.
SSH product features
Agentless integration with Privileged Access Management (PAM) Now, you can enter a customized PAM command and credential to integrate with centralized PAM solutions, like PowerBroker.
Device connection policy In this release, a policy now contains all configurations for devices or groups of devices. Configurations appear in a standardized way to connect to SSH Servers for agentless management.
On demand scans You can easily select one or more devices to perform on-demand scans of systems.
Improved device details interface Now, it's easier to see the authorized clients on a given device.
Adaptable Log Channel The Adaptable Framework has been extended to the log system. You can trigger custom PowerShell scripts based on any event in Trust Protection Platform. Write your scripts to edit data, push data, or pull data. The Adaptable Log Channel allows you to add custom business logic within Trust Protection Platform.
Amazon Web Services (AWS) Instance monitoring When you provide your AWS credentials, Trust Protection Platform automatically keeps your inventory up to date even when EC2 instances are terminated. For example, when systems which use certificates terminate, Trust Protection Platform can automatically disable, revoke, delete, or move certificate installations to other devices.
Discover Server Agents on VMware, AWS and Azure You can now discover which Server Agents are running on VMware, Amazon Web Services (AWS), and Microsoft Azure, and discover the unique ID of each virtual machine. This new feature makes it easier to integrate with orchestration tools, such as Chef and Puppet, and helps you keep agent, certificate, and SSH inventory up-to-date. Installed Server Agents collect and report the system manufacturer and virtual machine IDs of the virtual machines on which they're running. After the Server Agent reports back to the Trust Protection Platform server, you can then see the data on the Agent List view in Aperture™.
Microsoft SQL Server AlwaysOn availability group support Trust Protection Platform now supports the use of availability groups within Microsoft SQL. Trust Protection Platform can now point to an Availability Group listener for connectivity to the database. The Availability Group listeners always present the Primary SQL server in the Availability Group.
Encrypted connection to Microsoft SQL Trust Protection Platform now supports the configuration to always require a secure/encrypted connection to the DB.
Usage report A new automatic report collects high level information of how the product is used so that administrators and Trust Protection Platform can focus on improving the features your organization uses the most. You can use the Venafi Control Center (VCC) utility to configure a Usage Report and licensing report to send to Venafi.
Aperture System Status dashboard Monitor your system status at a glance. See important details like the of number Trust Protection Platform servers, and server patch version. Gain visibility into what components are installed on each server and if Trust Protection Platform services are up or down. The same information is available via new Web SDK API.
Aperture license widgets On the new System Status Dashboard, you can easily see the license consumption for your organization.
New user/group entitlements view In Aperture, visit the new "Identity" section under Inventory. You'll be able to easily see what permissions a user or group have been given anywhere in Trust Protection Platform. Feature only available to Master Administrators.
Effective permissions and permission troubleshooting When viewing the permissions for any item in Aperture, you'll be able to see the inherited permissions for higher folders in the folder structure. Also able to analyze permissions to see where they are set and what identity they are applied to. For example, compare the permissions for two users on a certificate when one person has a working set of permissions and the other person is missing functionality.
Trust Protection Platform Support Center (VSC) A new support utility that is packaged with Trust Protection Platform that will make more information available where troubleshooting or debugging is required. Typically used when working with Trust Protection Platform Customer Support.
Microsoft SQL Server 2016 compatible Trust Protection Platform now considers Microsoft SQL Server 2016 as a compatible database version to host the Trust Protection Platform database.
Disaster recovery A new section of the documentation discusses recommended options for implementing a Disaster Recovery plan for your organization.
Support for Windows 2016 The Trust Protection Platform Server Agent is now officially supported on Microsoft Windows Server 2016.
Collect information from cloud and virtual platforms When the agent is installed on a VM running on VMware, Amazon Web Services, or Azure, the agent now collects the Virtual Machine ID and reports it to Trust Protection Platform. On Amazon Web Services, the Region is collected as well. This data is available through Web SDK, Aperture, and Custom Reports.
Improved Web SDK Optionally delete the linked device from inventory when you use the Web SDK to delete the Agent/Client record in Trust Protection Platform. New API to view all Agent/Client details.
Improved Certificate discovery Server Agent now discovers and places the Alias/Label for PKCS12 and IBM (CMS) Keystores.
Adaptable App Documentation now describes the Adaptable App driver.
Certificates/CyberArk A new set of methods is available to securely create, and update credential data from a CyberArk application to Trust Protection Platform.
Certificates/Guid The new unassigned ManagementType shows that enrolled or monitored by Trust Protection Platform. The documentation samples now explain return values.
Certificates/Request The Certificates/Request method has multiple additions and changes, including ECC Support, EllipticCurve and a new KeyAlgorithm to support ECC parameters
To support Amazon Web Services (AWS) Instance monitoring, the CloudService, CloudRegion, CloudInstanceID parameters have been added.
Additional documentation changes show valid DriverName parameters.
Client programming Interface The new Client Programming interfaces allows you to manage information about the various types of registered agents. For example, you can view agent status, a group of agents, or information about agents such the VM ID and region.
Config/Delete The documentation now describes how to remove certificates from a container or policy folder.
ConnectDirect The documentation now describes the ConnectDirect application object driver.